Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

5

26e8f47f12...18.exe

windows7-x64

7

26e8f47f12...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    08/10/2024, 23:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe

  • Size

    5.5MB

  • MD5

    26e8f47f120d9acbba85c8dc825a07d3

  • SHA1

    dc0c552363c2426f10810141d7195452f4ecc70a

  • SHA256

    e0efc867eeb0a7367b8d60f215631652c4f7e86be964c25c697f1240738ba302

  • SHA512

    5990b5eea1253d6466010ee8ce3b393580b2628c1817492d3a5ca533f541299c3c6392fab171eff7c225878738b8a457c8a8f8fce2ae787b48534835e8f20738

  • SSDEEP

    98304:KJYj2fjWTrgBTzBdLB/35mCckFR+vicS43:AU6yTEBv1B33FR+6c

Score
7/10
discoveryupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Local\Temp\26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:2840

Network

  • flag-us
    DNS
    cutit.org
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    cutit.org
    IN A
    Response
    cutit.org
    IN A
    172.232.25.148
    cutit.org
    IN A
    172.232.4.213
    cutit.org
    IN A
    172.232.31.180
  • flag-us
    DNS
    q.gs
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    q.gs
    IN A
    Response
    q.gs
    IN A
    172.67.193.84
    q.gs
    IN A
    104.21.84.133
  • flag-us
    GET
    http://q.gs/EVnYC
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Remote address:
    172.67.193.84:80
    Request
    GET /EVnYC HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: q.gs
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Date: Wed, 09 Oct 2024 06:06:19 GMT
    Content-Type: text/html
    Content-Length: 143
    Connection: keep-alive
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Location: https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k7SMxLyvKaNpP3ZiCIZlNRBnYSgxrHSjvq4E6M%2BvBVmHe84rTBYjkTKecY07mVkguWy32Yp9uCXhC%2BBVLfNH%2BSZ7TxfSM%2BNQn25rBIJAiOSLjZrOwj1R"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8cfc2f1d6e48773d-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    DNS
    publisher.linkvertise.com
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    publisher.linkvertise.com
    IN A
    Response
    publisher.linkvertise.com
    IN A
    104.22.22.72
    publisher.linkvertise.com
    IN A
    172.67.31.186
    publisher.linkvertise.com
    IN A
    104.22.23.72
  • flag-us
    GET
    https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Remote address:
    104.22.22.72:443
    Request
    GET /adfly-hard-migrator/url?url=http://q.gs/EVnYC HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: publisher.linkvertise.com
    Response
    HTTP/1.1 302 Found
    Date: Wed, 09 Oct 2024 06:06:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    location: https://linkvertise.com/adfly-notice
    Cache-Control: no-cache, private
    vary: Origin
    set-cookie: laravel_session=j2hFxche61tdXUtMhJQ9J5WMagkp1wHwWXKrutE7; expires=Thu, 09 Oct 2025 06:06:20 GMT; Max-Age=31536000; path=/; domain=.linkvertise.com; httponly
    CF-Cache-Status: DYNAMIC
    Set-Cookie: __cf_bm=T6RnWwJvOsRYv2zqBdJ.S5sm.4yw64NhSW8VrKsnpDg-1728453980-1.0.1.1-nhuC5U_DG8g9TmR8RtjcU5FqoL6yQINejupYmM1DgITSdlyG.B5RsO4am4Ef6pSX9ms0uapM1VJeo4tOEqavmw; path=/; expires=Wed, 09-Oct-24 06:36:20 GMT; domain=.linkvertise.com; HttpOnly; Secure; SameSite=None
    X-Frame-Options: sameorigin
    Server: cloudflare
    CF-RAY: 8cfc2f208a666382-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    c.pki.goog
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.195
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Remote address:
    142.250.187.195:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 09 Oct 2024 05:53:38 GMT
    Expires: Wed, 09 Oct 2024 06:43:38 GMT
    Cache-Control: public, max-age=3000
    Age: 762
    Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Remote address:
    142.250.187.195:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 09 Oct 2024 05:53:45 GMT
    Expires: Wed, 09 Oct 2024 06:43:45 GMT
    Cache-Control: public, max-age=3000
    Age: 755
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    linkvertise.com
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    linkvertise.com
    IN A
    Response
    linkvertise.com
    IN A
    104.22.22.72
    linkvertise.com
    IN A
    104.22.23.72
    linkvertise.com
    IN A
    172.67.31.186
  • flag-us
    GET
    https://linkvertise.com/adfly-notice
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Remote address:
    104.22.22.72:443
    Request
    GET /adfly-notice HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: linkvertise.com
    Cookie: laravel_session=j2hFxche61tdXUtMhJQ9J5WMagkp1wHwWXKrutE7; __cf_bm=T6RnWwJvOsRYv2zqBdJ.S5sm.4yw64NhSW8VrKsnpDg-1728453980-1.0.1.1-nhuC5U_DG8g9TmR8RtjcU5FqoL6yQINejupYmM1DgITSdlyG.B5RsO4am4Ef6pSX9ms0uapM1VJeo4tOEqavmw
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 06:06:20 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    Link: <//cdn.exmarketplace.com>; rel="preconnect", <//securepubads.g.doubleclick.net>; rel="preconnect"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3A2ARfB1pm26IHxe5YHbJTVN%2BSimEVWsBYhltSoAF0os7CC4uySr5xTyCEO6VjJjL7FAXWFM7mgOnTDP4CBIdxX0nZdAKrTbvr9TZkQ4Z%2Bg8rpb5nNcy0tjTPEMWIKiA0Ms%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    Speculation-Rules: "/cdn-cgi/speculation"
    CF-Cache-Status: DYNAMIC
    X-Frame-Options: sameorigin
    Server: cloudflare
    CF-RAY: 8cfc2f226aa879c3-LHR
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.19.117.18
    a1363.dscg.akamai.net
    IN A
    2.19.117.10
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.19.117.18:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
    Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
    ETag: 0x8DCDDD1E3AF2C76
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: b28c4ea1-d01e-0016-0ebc-0fa13d000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 09 Oct 2024 06:06:50 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    92.123.241.137
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    92.123.241.137:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: cyz+t2uRxNE5eKALjGZu1w==
    Last-Modified: Sun, 18 Aug 2024 00:23:49 GMT
    ETag: 0x8DCBF1C07FCB4BF
    x-ms-request-id: 2d7f7efa-901e-005a-1d06-f1310d000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 09 Oct 2024 06:06:50 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV518287fb.0
    ms-cv-esi: CASMicrosoftCV518287fb.0
    X-RTag: RT
  • 172.232.25.148:443
    cutit.org
    tls
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    390 B
     219 B
     5
    5
  • 172.232.25.148:443
    cutit.org
    tls
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    352 B
     219 B
     5
    5
  • 172.232.25.148:443
    cutit.org
    tls
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    288 B
     219 B
     5
    5
  • 172.232.25.148:443
    cutit.org
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    190 B
     92 B
     4
    2
  • 172.67.193.84:80
    http://q.gs/EVnYC
    http
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    428 B
     1.1kB
     6
    4

    HTTP Request

    GET http://q.gs/EVnYC

    HTTP Response

    302
  • 104.22.22.72:443
    https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC
    tls, http
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    1.0kB
     4.8kB
     10
    10

    HTTP Request

    GET https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC

    HTTP Response

    302
  • 142.250.187.195:80
    http://c.pki.goog/r/r4.crl
    http
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    554 B
     3.8kB
     7
    5

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 104.22.22.72:443
    https://linkvertise.com/adfly-notice
    tls, http
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    2.1kB
     53.0kB
     29
    48

    HTTP Request

    GET https://linkvertise.com/adfly-notice

    HTTP Response

    200
  • 2.19.117.18:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
     1.7kB
     4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 92.123.241.137:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    393 B
     1.7kB
     4
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 8.8.8.8:53
    cutit.org
    dns
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    55 B
     103 B
     1
    1

    DNS Request

    cutit.org

    DNS Response

    172.232.25.148
    172.232.4.213
    172.232.31.180

  • 8.8.8.8:53
    q.gs
    dns
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    50 B
     82 B
     1
    1

    DNS Request

    q.gs

    DNS Response

    172.67.193.84
    104.21.84.133

  • 8.8.8.8:53
    publisher.linkvertise.com
    dns
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    71 B
     119 B
     1
    1

    DNS Request

    publisher.linkvertise.com

    DNS Response

    104.22.22.72
    172.67.31.186
    104.22.23.72

  • 8.8.8.8:53
    c.pki.goog
    dns
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    56 B
     107 B
     1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.195

  • 8.8.8.8:53
    linkvertise.com
    dns
    26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    61 B
     109 B
     1
    1

    DNS Request

    linkvertise.com

    DNS Response

    104.22.22.72
    104.22.23.72
    172.67.31.186

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
     162 B
     1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.19.117.18
    2.19.117.10

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
     230 B
     1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    92.123.241.137

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\26e8f47f120d9acbba85c8dc825a07d3_JaffaCakes118.exe
    Filesize

    5.5MB

    MD5

    70df69169e52646b9aad4ba9f5bd5935

    SHA1

    05ed5a6124e7f739107b529adb1311697569ce35

    SHA256

    5aa4558a489e9bc3894e1c4e50373b58dd4ad697d54b076753d32c3da9fc163e

    SHA512

    da6b8982442db39268f0d0aa21eb7197f8bc6330fe8f9592b10db6b2671ad2c94accde2899e0eaacbb33f8b5b3da539268dfa304822f5a57faa4f90c6ce44cd8

    Download Submit

  • memory/2820-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2820-1-0x0000000000400000-0x0000000000605000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2820-7-0x00000000021E0000-0x000000000243A000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2820-15-0x0000000004380000-0x0000000004D1E000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2820-14-0x0000000000400000-0x0000000000605000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2820-43-0x0000000004380000-0x0000000004D1E000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-17-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-18-0x0000000002220000-0x000000000247A000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2840-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.